This attempts to fix the places where we do the following where
arithmetic_expr may include unvalidated data:
X = grub_malloc(arithmetic_expr);
It accomplishes this by doing the arithmetic ahead of time using grub_add(),
grub_sub(), grub_mul() and testing for overflow before proceeding.
Among other issues, this fixes:
- allocation of integer overflow in grub_video_bitmap_create()
reported by Chris Coulson,
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in grub_squash_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in grub_ext2_read_symlink()
reported by Chris Coulson,
- allocation of integer overflow in read_section_as_string()
reported by Chris Coulson.
Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This modifies most of the places we do some form of:
X = malloc(Y * Z);
to use calloc(Y, Z) instead.
Among other issues, this fixes:
- allocation of integer overflow in grub_png_decode_image_header()
reported by Chris Coulson,
- allocation of integer overflow in luks_recover_key()
reported by Chris Coulson,
- allocation of integer overflow in grub_lvm_detect()
reported by Chris Coulson.
Fixes: CVE-2020-14308
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
written bytes.
(grub_get_num_of_utf8_bytes): New function.
(grub_ucs4_to_utf8_alloc): Use grub_get_num_of_utf8_bytes.
* grub-core/normal/menu_entry.c (run): Convert entry to UTF-8 before
executing it.
* include/grub/charset.h (grub_get_num_of_utf8_bytes): New proto.
(grub_ucs4_to_utf8): Change return type.
* grub-core/normal/charset.c (grub_unicode_aglomerate_comb): Don't
agglomerate control characters with combining marks.
(bidi_line_wrap): Allow break on tab.
(grub_unicode_get_comb_start): New function.
* grub-core/normal/menu_entry.c: Restructure to handle wide characters
and tab correctly.
* grub-core/normal/menu_text.c (print_entry): Replace \n, \r, \b and \e
with a space.
* grub-core/normal/term.c (print_ucs4_terminal): New argument
fixed_tab_size. All users updated.
* include/grub/term.h (GRUB_TERM_TAB_WIDTH): New const.
(grub_term_getcharwidth): Handle \t.
* include/grub/unicode.h (grub_unicode_glyph_dup): Fix allocation
and copy.
* config.h.in (RE_ENABLE_I18N) [!GRUB_UTIL]: New define.
* grub-core/lib/posix_wrap/ctype.h (islower): Use grub_islower.
(isupper): Use grub_isupper.
(isascii): New inline function.
* grub-core/lib/posix_wrap/wchar.h: Replace dummy with real contents.
* grub-core/lib/posix_wrap/wctype.h: Likewise.
* grub-core/normal/charset.c (grub_utf8_process): New function.
(grub_utf8_to_utf16): Use grub_utf8_process.
(grub_encode_utf8_character): New function.
(grub_ucs4_to_utf8): Use grub_encode_utf8_character.
* include/grub/charset.h (grub_utf8_process): New declaration.
(grub_encode_utf8_character): Likewise.
* include/grub/misc.h (grub_islower): New inline function.
(grub_isupper): Likewise.
(grub_strchrsub): Moved down to fix the definitions.
Peter Jones